Your message dated Wed, 03 Jun 2026 01:35:53 +0000
with message-id <[email protected]>
and subject line Bug#1138220: fixed in python-pip 26.1.2+dfsg-1
has caused the Debian Bug report #1138220,
regarding python-pip: CVE-2026-8643
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138220
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-pip
Version: 26.1.1+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-pip.
CVE-2026-8643[0]:
| Path traversal via malicious entry point name in pip wheel
| installation allows arbitrary file overwrite
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-8643
https://www.cve.org/CVERecord?id=CVE-2026-8643
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2460927
[2] https://github.com/pypa/pip/commit/8eb178480bd1a2b223f509fc430796b265158dfb
[3] https://github.com/pypa/pip/pull/14001
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-pip
Source-Version: 26.1.2+dfsg-1
Done: Stefano Rivera <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-pip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefano Rivera <[email protected]> (supplier of updated python-pip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 02 Jun 2026 18:37:59 -0400
Source: python-pip
Architecture: source
Version: 26.1.2+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Stefano Rivera <[email protected]>
Closes: 1138220
Changes:
python-pip (26.1.2+dfsg-1) unstable; urgency=high
 .
   * New upstream point release.
     - Fixes: CVE-2026-8643: Rejects entry point names that escape scripts dir
       (Closes: #1138220)
Checksums-Sha1:
 780eda2a91bc01938d64b0cd3ceffeb2d37d01c8 1857 python-pip_26.1.2+dfsg-1.dsc
 e27ab8591331c4d91cf737b4bc20b9dd28fe107b 1121136 python-pip_26.1.2+dfsg.orig.tar.xz
 9ab69a60082961b96b5549bd8e91b3791e161767 22084 python-pip_26.1.2+dfsg-1.debian.tar.xz
 f1602152623f5caae9f8889c8d3fbe11c2512761 6717 python-pip_26.1.2+dfsg-1_source.buildinfo
Checksums-Sha256:
 6dc938fa1aa236e06c8c2dc2752f0044adb886edd42dbea02662152f0cbff356 1857 python-pip_26.1.2+dfsg-1.dsc
 5c151b799b9bae833ccebb1e5308b9d18707ce7ba4a224f648d0bf4853ac0fb9 1121136 python-pip_26.1.2+dfsg.orig.tar.xz
 a878f1abf804d45efcdff8f8adc56da5d79c5ecc6e3cc27ac55fa145c52916f0 22084 python-pip_26.1.2+dfsg-1.debian.tar.xz
 5ef66e0452316995a6b23163df80c9087c2d7a8786492699aa22a67eb8cd0aa7 6717 python-pip_26.1.2+dfsg-1_source.buildinfo
Files:
 43e44bfb866fa15638a43a83a16f1a6b 1857 python optional python-pip_26.1.2+dfsg-1.dsc
 abb678d36284b2c5935f430d3bf40671 1121136 python optional python-pip_26.1.2+dfsg.orig.tar.xz
 ac36c0a332e2626dc7d83dbe6bdd1ff1 22084 python optional python-pip_26.1.2+dfsg-1.debian.tar.xz
 afbcfc0d649fdf8cd4e654f8d20fd83d 6717 python optional python-pip_26.1.2+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iIoEARYKADIWIQTumtb5BSD6EfafSCRHew2wJjpU2AUCah9/vxQcc3RlZmFub3JA
ZGViaWFuLm9yZwAKCRBHew2wJjpU2AuJAP4gLl3ezplskqlbKJhQA6RltGXufgX0
J0IZ70am3ukQkQEA02tvnOY2eKU2LGQCeeKsFzyirD0b+yF4ycqOG7MIiAk=
=e4h7
-----END PGP SIGNATURE-----
--- End Message ---
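The advisory above describes the bug as a path traversal through a wheel's entry point name, and the changelog entry says the fix rejects entry point names that escape the scripts directory. The following is an added illustration of that class of check, written for this page; it is not pip's code and not the upstream fix linked in the report. The function names (`is_safe_script_name`, `resolve_script_path`, `partition_entry_points`), the allow-list pattern and the sample names and directory are assumptions constructed for the example.

```python
"""Defensive containment check for console-script names (added example).

Illustrates the class of check the changelog describes: a script name taken
from package metadata must resolve to a file inside the scripts directory,
never outside it. This is not pip's implementation.
"""
import os
import re

# Assumed allow-list for a script file name: a letter or digit, followed by
# letters, digits, dot, underscore or hyphen. A real installer may accept a
# wider set, but never a path separator or a parent-directory component.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_safe_script_name(name: str) -> bool:
    """True if `name` is a plain file name with no path components."""
    if not name or name in (".", ".."):
        return False
    # Reject both separator styles and NUL regardless of host platform.
    if any(ch in name for ch in ("/", "\\", "\0")):
        return False
    return _SAFE_NAME.match(name) is not None


def resolve_script_path(scripts_dir: str, name: str) -> str:
    """Join `name` onto `scripts_dir`; raise ValueError if the name is
    unsafe or the resolved path is not inside `scripts_dir`.

    Two independent checks back each other up: the allow-list rejects
    suspicious names early, and the containment check catches anything
    that still resolves outside the directory.
    """
    if not is_safe_script_name(name):
        raise ValueError(f"unsafe script name: {name!r}")
    base = os.path.realpath(scripts_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath is the portable containment test; a plain string-prefix
    # comparison would wrongly accept /opt/venv/bin-evil as inside
    # /opt/venv/bin.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"script path escapes scripts dir: {name!r}")
    return target


def partition_entry_points(scripts_dir: str, names):
    """Split candidate script names into accepted {name: path} and
    rejected {name: reason} dicts, without stopping at the first bad name."""
    accepted, rejected = {}, {}
    for name in names:
        try:
            accepted[name] = resolve_script_path(scripts_dir, name)
        except ValueError as exc:
            rejected[name] = str(exc)
    return accepted, rejected


# Constructed sample input for the example (not taken from any real wheel).
SAMPLE_SCRIPTS_DIR = "/tmp/example-venv/bin"
SAMPLE_NAMES = [
    "mytool",            # plain name: accepted
    "my.tool-2",         # dots and hyphens are fine: accepted
    "../../.bashrc",     # parent-directory traversal: rejected
    "sub/mytool",        # subdirectory component: rejected
    "/usr/bin/mytool",   # absolute path: rejected
    "",                  # empty name: rejected
]

if __name__ == "__main__":
    ok, bad = partition_entry_points(SAMPLE_SCRIPTS_DIR, SAMPLE_NAMES)
    for name, path in ok.items():
        print(f"accept {name!r} -> {path}")
    for name, reason in bad.items():
        print(f"reject {name!r}: {reason}")
```

The containment test on the resolved path is the part worth keeping even if the allow-list is relaxed: it is what makes a traversal name fail regardless of which characters the metadata parser lets through.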